Merge pull request #9 from nitin-vavdiya/fix/security-findings

fix: log injection finding and note added for helm release

DEPENDENCIES

@@ -94,6 +94,7 @@ maven/mavencentral/net.minidev/json-smart/2.5.0, Apache-2.0, approved, clearlyde
 maven/mavencentral/net.minidev/json-smart/2.5.1, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.apache.commons/commons-lang3/3.14.0, Apache-2.0, approved, #11677
 maven/mavencentral/org.apache.commons/commons-lang3/3.15.0, Apache-2.0, approved, clearlydefined
+maven/mavencentral/org.apache.commons/commons-text/1.12.0, Apache-2.0, approved, #14414
 maven/mavencentral/org.apache.httpcomponents.client5/httpclient5/5.3.1, Apache-2.0, approved, #12911
 maven/mavencentral/org.apache.httpcomponents.core5/httpcore5-h2/5.2.4, Apache-2.0, approved, #10658
 maven/mavencentral/org.apache.httpcomponents.core5/httpcore5/5.2.4, Apache-2.0, approved, #9652

build.gradle

@@ -60,6 +60,8 @@ dependencies {
 
     //utils
     implementation 'org.apache.commons:commons-lang3:3.15.0'
+    implementation("org.apache.commons:commons-text:1.12.0")
+
 
     //Edc
     implementation "org.eclipse.edc:crypto-common-lib:${edcLibVersion}"

charts/ssi-dim-wallet-stub/README.md

@@ -16,12 +16,19 @@
 
 ### Install with released helm chart
 
+Note: ! WIP Chart is not published yet, please use local deployment till chart is published to tractusx
+
 ```
 helm repo add tractusx-dev https://eclipse-tractusx.github.io/charts/dev
 helm install ssi-dim-wallet-stub tractusx-dev/ssi-dim-wallet-stub
 ```
 
 ### Install with local configuration
+
+Step:
+1. Create docker image locally with command `docker build -t ssi-dim-wallet-stub .`
+2. Change docker image in values.yaml
+
 ```
 helm dep up charts/ssi-dim-wallet-stub
 kubectl create namespace wallet

charts/ssi-dim-wallet-stub/templates/deployment.yaml

@@ -42,6 +42,8 @@ spec:
       containers:
         - name: {{ .Values.wallet.appName }}
           image: {{ .Values.wallet.image.repository }}:{{ default .Chart.AppVersion .Values.wallet.image.tag }}
+          securityContext:
+            allowPrivilegeEscalation: false
           imagePullPolicy: {{ .Values.wallet.image.pullPolicy }}
           resources:
             {{- toYaml .Values.wallet.resources | nindent 12 }}

src/main/java/org/eclipse/tractusx/wallet/stub/edc/EDCStubService.java

@@ -30,7 +30,9 @@
 import lombok.RequiredArgsConstructor;
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.time.DateUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import org.eclipse.tractusx.wallet.stub.credential.CredentialService;
 import org.eclipse.tractusx.wallet.stub.did.DidDocument;
 import org.eclipse.tractusx.wallet.stub.did.DidDocumentService;
@@ -169,7 +171,7 @@ private static String createSTSWithScope(CreateCredentialWithScopeRequest withSc
      */
     @SneakyThrows
     public String createStsToken(Map<String, Object> request, String token) {
-        log.debug("Getting request to create STS with request -> {} and token ->{}", objectMapper.writeValueAsString(request), token);
+        log.debug("Getting request to create STS with request -> {} and token ->{}", objectMapper.writeValueAsString(request), StringEscapeUtils.escapeJava(token));
         String selfBpn = CommonUtils.getBpnFromToken(token, tokenService);
         KeyPair selfKeyPair = keyService.getKeyPair(selfBpn);
         DidDocument selfDidDocument = didDocumentService.getDidDocument(selfBpn);
@@ -190,7 +192,7 @@ public String createStsToken(Map<String, Object> request, String token) {
         } else {
             throw new IllegalArgumentException("Invalid token request");
         }
-        log.debug("self bpn ->{} and partner bpn ->{}", selfBpn, partnerBpn);
+        log.debug("self bpn ->{} and partner bpn ->{}", StringEscapeUtils.escapeJava(selfBpn), StringEscapeUtils.escapeJava(partnerBpn));
 
         DidDocument partnerDidDocument = didDocumentService.getDidDocument(partnerBpn);
 
@@ -208,7 +210,7 @@ public String createStsToken(Map<String, Object> request, String token) {
 
     @SneakyThrows
     public QueryPresentationResponse queryPresentations(QueryPresentationRequest request, String token) {
-        log.debug("getting request for query credential with body-> {} token -> {}", objectMapper.writeValueAsString(request), token);
+        log.debug("getting request for query credential with body-> {} token -> {}", objectMapper.writeValueAsString(request), StringEscapeUtils.escapeJava(token));
         JWTClaimsSet jwtClaimsSet = tokenService.verifyTokenAndGetClaims(token);
         List<String> audience = jwtClaimsSet.getAudience();
 
@@ -232,7 +234,7 @@ public QueryPresentationResponse queryPresentations(QueryPresentationRequest req
         DidDocument issuerDidDocument = didDocumentService.getDidDocument(callerBpn);
 
 
-        log.debug("Requested VC -> types : {}, caller bpn ->{}", requestedTypes, callerBpn);
+        log.debug("Requested VC -> types : {}, caller bpn ->{}", StringEscapeUtils.escapeJava(StringUtils.join(requestedTypes, ",")), StringEscapeUtils.escapeJava(callerBpn));
 
         //here we will create request VC if not already issued
         //in read world scenario it will give error if requested VC not issued to holder

src/main/java/org/eclipse/tractusx/wallet/stub/portal/PortalStubService.java

@@ -26,6 +26,7 @@
 import lombok.RequiredArgsConstructor;
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.text.StringEscapeUtils;
 import org.eclipse.tractusx.wallet.stub.config.WalletStubSettings;
 import org.eclipse.tractusx.wallet.stub.did.DidDocument;
 import org.eclipse.tractusx.wallet.stub.did.DidDocumentService;
@@ -63,7 +64,7 @@ public class PortalStubService {
     @SneakyThrows
     @Async
     public void setupDim(SetupDimRequest request) {
-        log.debug("Request to setup dim received for company name -> {}, bpn ->{} waiting for 60 sec", request.getCompanyName(), request.getBpn());
+        log.debug("Request to setup dim received for company name -> {}, bpn ->{} waiting for 60 sec", StringEscapeUtils.escapeJava(request.getCompanyName()), StringEscapeUtils.escapeJava(request.getBpn()));
 
         //wait for defined time before pushing data to the portal
         Thread.sleep(portalSettings.portalWaitTime() * 1000);
@@ -83,7 +84,7 @@ public void setupDim(SetupDimRequest request) {
                 )
                 .build();
 
-        log.debug("Did document create for bpn -> {} , didDocument - >{}", request.getBpn(), objectMapper.writeValueAsString(didDocumentRequest));
+        log.debug("Did document create for bpn -> {} , didDocument - >{}", StringEscapeUtils.escapeJava(request.getBpn()), objectMapper.writeValueAsString(didDocumentRequest));
 
         if (!request.getBpn().equals(walletStubSettings.baseWalletBPN())) {
             //post did document to portal
@@ -101,7 +102,7 @@ public void setupDim(SetupDimRequest request) {
     @SneakyThrows
     @Async
     public void createTechUser(CreateTechUserRequest request, String bpn) {
-        log.debug("Request to create tech received for name -> {}, bpn ->{} waiting for 60 sec", request.getName(), bpn);
+        log.debug("Request to create tech received for name -> {}, bpn ->{} waiting for 60 sec", StringEscapeUtils.escapeJava(request.getName()), StringEscapeUtils.escapeJava(bpn));
 
         //For this application, we do not have any external IDP(ie. keycloak)
         //BPN number will be client_id and client_secret to create OAuth token. No validation for client_secret
@@ -114,7 +115,7 @@ public void createTechUser(CreateTechUserRequest request, String bpn) {
                 .clientSecret(bpn)
                 .build();
 
-        log.debug("Technical user details for bpn -> {} , user - >{}", bpn, objectMapper.writeValueAsString(authenticationDetails));
+        log.debug("Technical user details for bpn -> {} , user - >{}", StringEscapeUtils.escapeJava(bpn), objectMapper.writeValueAsString(authenticationDetails));
 
         //wait for configured time
         Thread.sleep(portalSettings.portalWaitTime() * 1000);

src/main/java/org/eclipse/tractusx/wallet/stub/token/TokenService.java

@@ -29,6 +29,7 @@
 import lombok.SneakyThrows;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.time.DateUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import org.eclipse.tractusx.wallet.stub.did.DidDocument;
 import org.eclipse.tractusx.wallet.stub.did.DidDocumentService;
 import org.eclipse.tractusx.wallet.stub.key.KeyService;
@@ -108,7 +109,7 @@ public TokenResponse createAccessTokenResponse(TokenRequest request) {
         SignedJWT signedJWT = CommonUtils.signedJWT(body, keyPair, didDocument.getVerificationMethod().getFirst().getId());
 
         String token = signedJWT.serialize();
-        log.debug("Token created for client id -> {}  token -> {}", request.getClientId(), token);
+        log.debug("Token created for client id -> {}  token -> {}", StringEscapeUtils.escapeJava(request.getClientId()), token);
         return new TokenResponse(token, StringPool.TOKEN_TYPE_BEARER, tokenSettings.tokenExpiryTime() * 60L, 0, 0, "email profile");
     }
 }

src/main/java/org/eclipse/tractusx/wallet/stub/utils/DeterministicECKeyPairGenerator.java

@@ -30,6 +30,7 @@
 import lombok.SneakyThrows;
 import lombok.experimental.UtilityClass;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.text.StringEscapeUtils;
 
 import java.security.KeyPair;
 import java.security.MessageDigest;
@@ -65,7 +66,7 @@ public static KeyPair createKeyPair(String bpn, String env) {
         KeyPair keyPair = generateECKeyPair(secureRandom);
 
 
-        log.debug("Keypair is generated for bpn -> {}", bpn);
+        log.debug("Keypair is generated for bpn -> {}", StringEscapeUtils.escapeJava(bpn));
 
         return keyPair;
     }